compliance controls are associated with this Policy definition 'Endpoint protection should be installed on your machines' (1f7c564c-0a90-4d44-b7e1-9d456cffaee8)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Azure_Security_Benchmark_v3.0 |
ES-2 |
Azure_Security_Benchmark_v3.0_ES-2 |
Microsoft cloud security benchmark ES-2 |
Endpoint Security |
Use modern anti-malware software |
Shared |
**Security Principle:**
Use anti-malware solutions capable of real-time protection and periodic scanning.
**Azure Guidance:**
Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and on-premises machines with Azure Arc configured, and report the endpoint protection running status and make recommendations.
Microsoft Defender Antivirus is the default anti-malware solution for Windows server 2016 and above. For Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection), and Microsoft Defender for Cloud to discover and assess the health status. For Linux VMs, use Microsoft Defender for Endpoint on Linux.
Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts.
**Implementation and additional context:**
Supported endpoint protection solutions:
https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions-
How to configure Microsoft Antimalware for Cloud Services and virtual machines:
https://docs.microsoft.com/azure/security/fundamentals/antimalware
|
n/a |
link |
5 |
CIS_Azure_2.0.0 |
7.6 |
CIS_Azure_2.0.0_7.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.6 |
7 |
Ensure that Endpoint Protection for all Virtual Machines is installed |
Shared |
Endpoint protection will incur an additional cost to you. |
Install endpoint protection for all virtual machines.
Installing endpoint protection systems (like anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems. |
link |
11 |
NZ_ISM_v3.5 |
SS-3 |
NZ_ISM_v3.5_SS-3 |
NZISM Security Benchmark SS-3 |
Software security |
14.1.9 Maintaining hardened SOEs |
Customer |
n/a |
Whilst a SOE can be sufficiently hardened when it is deployed, its security will progressively degrade over time. Agencies can address the degradation of the security of a SOE by ensuring that patches are continually applied, system users are not able to disable or bypass security functionality and antivirus and other security software is appropriately maintained with the latest signatures and updates.
End Point Agents monitor traffic and apply security policies on applications, storage interfaces and data in real-time. Administrators actively block or monitor and log policy breaches. The End Point Agent can also create forensic monitoring to facilitate incident investigation.
End Point Agents can monitor user activity, such as the cut, copy, paste, print, print screen operations and copying data to external drives and other devices. The Agent can then apply policies to limit such activity. |
link |
17 |
RBI_CSF_Banks_v2016 |
13.1 |
RBI_CSF_Banks_v2016_13.1 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.1 |
|
n/a |
Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. |
|
27 |
RBI_CSF_Banks_v2016 |
13.2 |
RBI_CSF_Banks_v2016_13.2 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.2 |
|
n/a |
Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices ???(Endpoints such as PCs/laptops/ mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralised management and monitoring. |
|
22 |
RBI_CSF_Banks_v2016 |
15.1 |
RBI_CSF_Banks_v2016_15.1 |
|
Data Leak Prevention Strategy |
Data Leak Prevention Strategy-15.1 |
|
n/a |
Develop a comprehensive data loss/leakage prevention strategy to safeguard sensitive (including confidential)business and customer data/information. |
|
8 |
RBI_CSF_Banks_v2016 |
15.3 |
RBI_CSF_Banks_v2016_15.3 |
|
Data Leak Prevention Strategy |
Data Leak Prevention Strategy-15.3 |
|
n/a |
Similar arrangements need to be ensured at the vendor managed facilities as well. |
|
5 |
SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
Restricts Application and Software Installation — The ability to install applications
and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software
is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been
transferred or returned to the entity’s custody for malware and other unauthorized
software and to remove any items detected prior to its implementation on the network. |
|
53 |